4.14. Maintaining Application Boundaries
Because multiple applications can share the same HTTP server or domain, it's important to maintain clear boundaries between them to avoid conflicts and security issues.
Applications SHOULD:

- Use distinct URL paths (or subdomains) to avoid conflicts with other applications.
- Clearly document the URL space they use.
- Avoid making assumptions about what other applications might be running on the same server.
- Be aware that cookies [COOKIES] and other browser state mechanisms are scoped to hosts or domains rather than to specific paths, which can lead to unintended sharing of state between applications. In particular, a cookie's Path attribute is not a security boundary: any application on the same host can set a cookie for any path, including another application's.
Applications SHOULD NOT:

- Assume they have exclusive access to the entire domain.
- Use URL patterns that might conflict with common conventions (e.g., /admin, /api).
- Rely on a specific server configuration that might not be applicable when the application is deployed.
See [RFC6454] for information about the Web Origin concept (the scheme, host, and port of a URL, not its path), which is fundamental to how browsers enforce boundaries between applications.
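As an added illustration of the cookie-scoping point above and of the origin definition in [RFC6454] (this is example code written for this page, not text or code from the original document), the following Node.js script models RFC 6454 origin comparison and the RFC 6265 cookie domain/path matching rules, then walks through two applications sharing one host. The host names example.com, app1.example.com and app2.example.com, the paths /app1 and /app2, and the cookie names are constructed for the example; public-suffix handling is omitted.

```javascript
// Added example (not part of the original document): a small model of the two
// browser scoping rules the section refers to, RFC 6454 origins and RFC 6265
// cookie domain/path matching. Host names, paths and cookie names below are
// constructed for illustration. Runs under Node.js (uses the global URL class).

// RFC 6454: an origin is the (scheme, host, port) triple. The path is not part
// of it, so /app1 and /app2 on one host are the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are equal or the host ends with "." + domain. (Public-suffix checks omitted.)
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.4: default path used when Set-Cookie carries no Path.
// "/app1/login" yields "/app1", but "/app1" yields "/".
function defaultPath(uriPath) {
  if (!uriPath.startsWith("/")) return "/";
  const last = uriPath.lastIndexOf("/");
  return last === 0 ? "/" : uriPath.slice(0, last);
}

// A minimal cookie store keyed, as in RFC 6265, by (name, domain, path).
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Store a cookie from a response to requestUrl. `domain` and `path` model the
  // Set-Cookie Domain and Path attributes (undefined when absent).
  setCookie(requestUrl, name, value, { domain, path } = {}) {
    const u = new URL(requestUrl);
    const hostOnly = domain === undefined;
    const cookieDomain = hostOnly ? u.hostname : domain.replace(/^\./, "").toLowerCase();
    // RFC 6265 section 5.3 step 6: reject a Domain the request host does not match.
    if (!domainMatches(u.hostname, cookieDomain)) return false;
    const cookiePath = path && path.startsWith("/") ? path : defaultPath(u.pathname);
    // Nothing here (or in a real browser) stops a response for /app2 from
    // setting Path=/app1: Path is a delivery hint, not an isolation boundary.
    this.store.set(`${name}|${cookieDomain}|${cookiePath}`, {
      name, value, hostOnly, domain: cookieDomain, path: cookiePath,
    });
    return true;
  }

  // The name=value pairs a user agent would put in the Cookie header for
  // requestUrl, longer paths first as RFC 6265 section 5.4 requires.
  cookiesFor(requestUrl) {
    const u = new URL(requestUrl);
    return [...this.store.values()]
      .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
      .filter((c) => pathMatches(u.pathname, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`);
  }
}

// The scenario from the section: two applications under one host, plus a
// subdomain deployment that uses a Domain cookie.
function demo() {
  const jar = new CookieJar();
  // app1 sets its session cookie from /app1 with no Path: the default path is
  // "/", so the cookie is sent to every other application on the host.
  jar.setCookie("https://example.com/app1", "app1_session", "s1");
  // app2's default path is "/app2" because its setting URL has a deeper path.
  jar.setCookie("https://example.com/app2/login", "app2_session", "s2");
  // app2 can also plant a cookie scoped to app1's prefix (cookie shadowing).
  jar.setCookie("https://example.com/app2", "app1_session", "forged", { path: "/app1" });
  // A Domain cookie set on app1.example.com reaches app2.example.com as well.
  jar.setCookie("https://app1.example.com/", "shared", "x", { domain: "example.com" });
  return {
    pathsShareOrigin: sameOrigin("https://example.com/app1", "https://example.com/app2"),
    subdomainsShareOrigin: sameOrigin("https://app1.example.com/", "https://app2.example.com/"),
    sentToApp1: jar.cookiesFor("https://example.com/app1/dashboard"),
    sentToApp2: jar.cookiesFor("https://example.com/app2/home"),
    sentToApp2Subdomain: jar.cookiesFor("https://app2.example.com/home"),
  };
}

console.log(demo());
```

Run it with `node`. The output shows that /app1 and /app2 are the same origin while app1.example.com and app2.example.com are not; that app1's cookie, set without a Path, is delivered to /app2; and that the forged cookie app2 set with Path=/app1 precedes app1's own cookie in the Cookie header for /app1/dashboard, so a server that takes the first match reads the attacker-chosen value. Separate hosts give a real browser boundary, but a cookie set with a Domain attribute still crosses it, which is why applications that share a parent domain should set host-only cookies (no Domain attribute) and not trust cookie values as if they came from their own path.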